On Thursday 30 July 2015 at 4:12:35 PM, in
<mid:55ba3ee3.7000...@gmail.com>, Viktor Dick wrote:

> On 2015-07-30 16:39, MFPA wrote:
>> On Thursday 30 July 2015 at 1:43:35 PM, in
>> <mid:55ba1bf7.4090...@enigmail.net>, n...@enigmail.net wrote
>>> BTW, as another example, several keys of
>>> t...@gpgtools.org are faked (search for these keys and
>>> the the interesting result).
>> Sorry, I don't see a result that leaps out at me as
>> interesting. Are you willing to elaborate?
> I'd say if one searches on a keyserver, it is pretty
> clear which key is real.

Only if you download the key from the GPGTools website and find the
key-id first. (If the GPGTools team shows their key ID or Fingerprint
on their website, I failed to find it.)

My output from searching a keyserver for "gpgtools.org":-

-----------------------------------------------------------------------
C:\TDM-GCC-32>gpg --search-keys t...@gpgtools.org
gpg: using character set 'utf-8'
gpg: data source: http://kronecker.scientia.net:11371
(1)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0xDE13CCD892EFC169, created: 2013-09-13, expires: 2017-09-13
(2)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0x93F6E721F7D75F75, created: 2013-09-13, expires: 2017-09-13
(3)     GPGTools Team <t...@gpgtools.org>
          2048 bit RSA key 0x07F7603CC8F5BBF1, created: 2013-09-13, expires: 2017-09-13
(4)     *Key invalid; use 76D78F0500D026C4 GPG Tools Team <t...@gpgtools.org>
          2048 bit RSA key 0x929D128A9EA002BA, created: 2013-09-13, expires: 2017-09-13
(5)     George Nigg <t...@gpgtools.org>
          2048 bit RSA key 0xD0863D5E46FA0F9F, created: 2013-07-12, expires: 2017-07-12
(6)     GPGTools Team <t...@gpgtools.org>
        GPGMail Project Team (Official OpenPGP Key) <gpgmail-devel@lists.gpgma
        GPGTools Project Team (Official OpenPGP Key) <gpgtools-org@lists.gpgto
          2048 bit DSA key 0x76D78F0500D026C4, created: 2010-08-19, expires: 2018-08-19
Keys 1-6 of 6 for "t...@gpgtools.org".
Enter number(s), N)ext, or Q)uit >
-----------------------------------------------------------------------

Number 6 has more UIDs but nothing in the search listing tells me any
key is clearly the one I want.

When verifying a software download, the search would be the other way
around. I would be checking a signature, so GnuPG would search the
server for the key-id that made the signature, the signature would be
good or bad, and the key would be the one their website says it should
be or it wouldn't. (OK, there would quite probably be certifications
vouching for the key as well, in case the site was hacked and now said
a different key.)

> I'm a bit worried because when
> I search with Enigmail it does not show the signatures,
> so from there they all seem equally valid.

I do not use Enigmail, so couldn't comment. However, what would be
different if one of the keys found happened to carry one of your
proposed?

-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

What's another word for synonym?
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
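An added example, not part of the original message: the message above contrasts picking a key from a UID search listing with checking which key actually made a signature. This sketch parses `gpg --status-fd` verification output and accepts it only when the signing key's primary fingerprint equals one obtained out of band. The helper names (`check_status`, `status`), the fingerprints, the UID and the status lines are all constructed for illustration, and a single signature per file is assumed.

```python
# Added example: accept a signature only if it was made by a pinned fingerprint.
# All fingerprints, UIDs and status lines below are constructed sample data.
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
LOOKALIKE = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # same UID, other key
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def normalize(fpr):
    """Strip the spacing gpg prints inside fingerprints and upper-case it."""
    return "".join(fpr.split()).upper()

def check_status(status_text, pinned_fpr):
    """Decide from `gpg --status-fd 1 --verify` output; assumes one signature."""
    pinned = normalize(pinned_fpr)
    if len(pinned) != 40 or any(c not in "0123456789ABCDEF" for c in pinned):
        return False, "pin is not a full 40-hex fingerprint"
    good, primary = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURES:
            return False, fields[1]
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG" and len(fields) > 2:
            # The tenth argument is the primary key fingerprint when gpg
            # reports it; otherwise fall back to the signing key fingerprint.
            primary = fields[11] if len(fields) > 11 else fields[2]
    if not good or primary is None:
        return False, "no valid signature reported"
    if primary.upper() != pinned:
        return False, "good signature, but from unpinned key " + primary
    return True, "good signature from pinned key"

def status(fpr):
    """Build constructed status output for a good signature made by `fpr`."""
    return ("[GNUPG:] GOODSIG %s Example Team <team@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2015-07-30 1438272000 0 4 0 1 10 00 %s\n"
            % (fpr[-16:], fpr, fpr))

if __name__ == "__main__":
    print(check_status(status(normalize(PINNED)), PINNED))
    print(check_status(status(LOOKALIKE), PINNED))  # valid signature, wrong key
    print(check_status("[GNUPG:] BADSIG 89ABCDEF01234567 Example Team", PINNED))
```

A cryptographically good signature from the lookalike key is still rejected, because the UID is free text chosen by whoever generated the key and is never used in the decision.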